Enable mailbox auditing in Office 365

10/18/2018

In Office 365, you can turn on mailbox audit logging to log mailbox access by mailbox owners, delegates, and administrators. By default, mailbox auditing in Office 365 isn't turned on. That means mailbox auditing events won't appear in the results when you search the Office 365 audit log for mailbox activity. But after you turn on mailbox audit logging for a user mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. To log (and then search for) additional actions, see Step 3.

Before you begin

You have to use Exchange Online PowerShell to enable mailbox audit logging. You can't use the Office 365 Security & Compliance Center or the Exchange admin center.

You can't enable mailbox audit logging for the mailbox that's associated with an Office 365 Group or a team in Microsoft Teams.

An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

Step 1: Connect to Exchange Online PowerShell

On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type the user name and password for an Office 365 global admin account, and then click OK.

Step 2: Enable mailbox audit logging

After you connect to your Exchange Online organization, use PowerShell to enable mailbox audit logging for a mailbox. Alternatively, you can enable mailbox auditing for all mailboxes in your organization.

Step 3: Specify owner actions to audit

When you enable auditing for a mailbox, some actions performed by the mailbox owner are audited by default. You have to specify other owner actions to audit. See the table in the Mailbox auditing actions section for a list and description of owner actions that are logged by default and the other actions that can be audited.

This example adds the MailboxLogin and HardDelete owner actions to mailbox auditing for Pilar Pinilla's mailbox. This example assumes that mailbox auditing has already been enabled for this mailbox.

This example enables mailbox audit logging for Don Hall's mailbox and specifies that only the MailboxLogin action performed by the mailbox owner will be logged. Note that this example overwrites the default UpdateFolderPermissions action.

Set-Mailbox "Don Hall" -AuditEnabled $true -AuditOwner MailboxLogin

This example adds the MailboxLogin, HardDelete, and SoftDelete owner actions to all mailboxes in the organization. This example assumes that mailbox auditing has already been enabled for all mailboxes.

A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.
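The commands that Steps 2 and 3 describe (enable auditing, add owner actions without overwriting the defaults, and confirm the result) are sketched below as an added example; it is not code from the original article. It assumes an Exchange Online PowerShell session is already connected, and the function name `Enable-MailboxOwnerAuditing` is illustrative.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session (Step 1).
# The function name is illustrative; the identity comes from this page's examples.

function Enable-MailboxOwnerAuditing {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string[]] $OwnerActions = @('MailboxLogin', 'HardDelete')
    )

    # Turn auditing on. This alone does not change the audited action lists.
    Set-Mailbox -Identity $Identity -AuditEnabled $true

    # @{Add=...} appends to the existing AuditOwner list.
    # A plain value (-AuditOwner MailboxLogin) replaces the list instead,
    # which drops the owner actions that are audited by default.
    Set-Mailbox -Identity $Identity -AuditOwner @{Add = $OwnerActions}

    # Read the configuration back and report what is actually in effect.
    $mbx     = Get-Mailbox -Identity $Identity
    $missing = $OwnerActions | Where-Object { $mbx.AuditOwner -notcontains $_ }

    [pscustomobject]@{
        Mailbox      = $mbx.UserPrincipalName
        AuditEnabled = $mbx.AuditEnabled          # True means auditing is on
        AuditOwner   = $mbx.AuditOwner -join ', '
        Missing      = $missing -join ', '        # empty when every action was added
    }
}

# Single mailbox.
Enable-MailboxOwnerAuditing -Identity 'Pilar Pinilla'

# Every user mailbox in the organization, with three owner actions.
# The mailbox list is collected first so that Get-Mailbox has finished
# before any Set-Mailbox call runs.
$ownerActions = 'MailboxLogin', 'HardDelete', 'SoftDelete'
$all = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$results = foreach ($m in $all) {
    Enable-MailboxOwnerAuditing -Identity $m.UserPrincipalName -OwnerActions $ownerActions
}

# Show only the mailboxes where the change did not take effect.
$results | Where-Object { -not $_.AuditEnabled -or $_.Missing }
```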

Mailbox auditing actions

The following table lists the actions that can be logged by mailbox audit logging. The table includes which action can be logged for the different user logon types. In the table, a No indicates that an action can't be logged for that logon type. An asterisk ( * ) indicates that the action is logged by default when mailbox audit logging is enabled for the mailbox.

| Action | Description | Admin | Delegate*** | Owner |
| --- | --- | --- | --- | --- |
| Copy | A message was copied to another folder. | Yes | No | No |
| Create | An item is created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox; for example, a new meeting request is created. Note that creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited. | Yes* | Yes* | Yes |
| FolderBind | A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. | Yes | Yes** | No |
| HardDelete | A message was purged from the Recoverable Items folder. | Yes* | Yes* | Yes |
| MailboxLogin | The user signed in to their mailbox. | No | No | Yes |
| MessageBind | A message was viewed in the preview pane or opened. | Yes | No | No |
| Move | A message was moved to another folder. | Yes | Yes | Yes |
| MoveToDeletedItems | A message was deleted and moved to the Deleted Items folder. | Yes* | Yes* | Yes |
| SendAs | A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner. | Yes* | Yes* | No |
| SendOnBehalf | A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message. | Yes* | Yes* | No |
| SoftDelete | A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder. | Yes* | Yes* | Yes |
| Update | A message or its properties was changed. | Yes* | Yes* | Yes |
| UpdateCalendarDelegation | A calendar delegation was assigned to a mailbox. Calendar delegation gives someone else in the same organization permissions to manage the mailbox owner's calendar. | Yes* | No | Yes* |
| UpdateFolderPermissions | A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders. | Yes* | Yes* | Yes* |
| UpdateInboxRules | An inbox rule has been added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message. | Yes* | Yes* | Yes* |

Note

* Audited by default if auditing is enabled for a mailbox.

** Entries for folder bind actions performed by delegates are consolidated. One log entry is generated for individual folder access within a time span of 24 hours.

*** An administrator who has been assigned the Full Access permission to a user's mailbox is considered a delegate user.

If you no longer require certain types of mailbox actions to be audited, you should modify the mailbox's audit logging configuration to disable those actions. Existing log entries aren't purged until the retention age limit for audit log entries is reached. For more information about the retention age for audit log entries, see the "Before you begin" section in Search the audit log in the Office 365 Security & Compliance Center.

Use the Office 365 audit log to search for mailbox activity that has been logged. You can search for activity for a specific user mailbox. The following screenshot shows a list of mailbox activities that you can search for in the Office 365 audit log. Note that these activities are the same actions that are described in the "Mailbox auditing actions" section in this topic.

The following table describes each mailbox activity that you can search for and shows the corresponding mailbox auditing action.

When you enable audit logging for a mailbox, you can also specify which user actions (for example, accessing, moving, or deleting a message) will be logged for each logon type (admin, delegate, or owner).

To disable mailbox audit logging, run the following command:

Set-Mailbox -Identity <identity of mailbox> -AuditEnabled $false

The actions that are audited for each type of user aren't displayed when you run the Get-Mailbox cmdlet. But you can run the following commands to display all the audited actions for a specific user logon type.
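One way to display the audited actions per logon type and compare them with a required set, as an added example that is not code from the original article. It assumes a connected Exchange Online PowerShell session; the function name `Get-MailboxAuditActions` and the contents of `$baseline` are illustrative choices, not a recommendation from the page.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
# Function name and baseline contents are illustrative.

function Get-MailboxAuditActions {
    param([Parameter(Mandatory)] [string] $Identity)

    $mbx = Get-Mailbox -Identity $Identity
    # AuditAdmin, AuditDelegate and AuditOwner are multi-valued properties;
    # emit one row per logon type with the full list.
    foreach ($type in 'Admin', 'Delegate', 'Owner') {
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            AuditEnabled = $mbx.AuditEnabled
            LogonType    = $type
            Actions      = @($mbx."Audit$type")
        }
    }
}

# Hypothetical baseline. Every entry is an action the table in
# "Mailbox auditing actions" marks as loggable for that logon type.
$baseline = @{
    Admin    = 'SendAs', 'HardDelete', 'UpdateInboxRules'
    Delegate = 'SendAs', 'SendOnBehalf', 'HardDelete'
    Owner    = 'MailboxLogin', 'HardDelete', 'UpdateInboxRules'
}

$rows = Get-MailboxAuditActions -Identity 'Don Hall'

# Display the lists for one mailbox, joined so nothing is truncated.
$rows | Select-Object LogonType, @{ n = 'Actions'; e = { $_.Actions -join ', ' } }

# Report logon types where auditing is off or a baseline action is not logged.
foreach ($row in $rows) {
    $gap = $baseline[$row.LogonType] | Where-Object { $row.Actions -notcontains $_ }
    if (-not $row.AuditEnabled -or $gap) {
        [pscustomobject]@{
            Mailbox      = $row.Mailbox
            LogonType    = $row.LogonType
            AuditEnabled = $row.AuditEnabled
            NotAudited   = $gap -join ', '
        }
    }
}
```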

You can also export a mailbox audit log and specify the entries to include for one or more users. Each entry in the report and the audit log includes information about who performed the action and when, the action performed, and whether the action was successful. For more information, see Export mailbox audit logs.
